Re: [w3c/manifest] Define when to fetch subresources (icons and shortcuts) + which client to use (#910)

marcoscaceres left a comment (w3c/manifest#910)

This is both applicable and not... firstly, upon reflection, we should not assume there is a client at all because the way this is commonly implemented is that the manifest structure is handed off to the OS to deal with... once it enters the OS, it no longer has a (web) client... it's potentially just using OS-level mechanisms to load the images. 

From a security perspective, the only assurance that we give is that it's some kind of image format (which yes, it may attempt to attack the OS) - but generally the image formats are considered safe, and CSP doesn't apply anymore as there is no document object or environment settings object at that point (it's all OS widgets).

So, we should say *something* ... but we need to figure out what... but it's not a "clients" thing. 

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3c/manifest/issues/910#issuecomment-2740223664

Message ID: <w3c/manifest/issues/910/2740223664@github.com>

Received on Thursday, 20 March 2025 12:05:27 UTC